Security Practices question

Allan Liska allan at allan.org
Sun Sep 22 22:52:04 UTC 2002


Hello John,

Sunday, September 22, 2002, 6:22:11 PM, you wrote:


JMB> I have question for the security community on NANOG.

JMB> What is your learned opinion of having host accounts
JMB> (unix machines) with UID/GID of 0:0

I'm not sure my opinion is learned, but I would say it is a bad idea.
The vast majority of users do not need all of the privileges that
root access provides.  The reason that *nix systems have different
users and groups is to give them different levels of access.

In addition, if there are specific programs that need to be run by a
user which require root access, an administrator can use sudo
(http://www.courtesan.com/sudo/) to give faux root access, without
having to divulge the root password.


JMB> The argument is that way you don't have to give out the root password,
JMB> you can just nuke a user's UID=0 equiv account when they leave and not
JMB> have to change the real root account.

That is an invalid argument for three reasons:

1. As soon as a user leaves an organization, their accounts should be
deleted -- that should be SOP at all companies.  If you do not allow
the root account to connect directly (i.e., you cannot SSH to the server
directly as root -- you have to connect as another user and su) when
you delete the user's account they cannot gain root access.

2. You should be rotating your root password often enough that users
would be accustomed to a password change.

3.  The only users who should be able to gain root access to a system
are those in the root wheel, at the very least accounts in the root
wheel should be monitored closely and rotated in and out of the wheel
as necessary.


Hope this helps.



allan
- --
Allan Liska
allan at allan.org
http://www.allan.org
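
An audit for the accounts discussed in this thread, as an added example that is not part of the original message: it lists every account other than root whose UID is 0, and the members of the wheel group. The function names and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message.
# Paths default to the live system files; pass other paths to audit copies.

# Print every account whose UID is 0, other than "root" itself.
# passwd format: name:password:UID:GID:gecos:home:shell
uid0_aliases() {
    awk -F: '$1 !~ /^[#+-]/ && $3 ~ /^0+$/ && $1 != "root" { print $1 }' \
        "${1:-/etc/passwd}"
}

# Print the members of a group (default "wheel"), one per line.
# group format: name:password:GID:user1,user2,...
group_members() {
    awk -F: -v g="${2:-wheel}" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "${1:-/etc/group}"
}

# Return non-zero and name the accounts if any root-equivalent exists.
audit_root_equivalents() {
    aliases=$(uid0_aliases "$1")
    if [ -n "$aliases" ]; then
        # Unquoted on purpose: one output line per account name.
        printf 'UID 0 account besides root: %s\n' $aliases
        return 1
    fi
    return 0
}

# Demo on a constructed passwd file (sample data, not from a real host).
demo=$(mktemp)
cat > "$demo" <<'EOF'
root:x:0:0:root:/root:/bin/sh
jmbroot:x:0:0:root-equivalent login:/root:/bin/sh
jmb:x:1001:1001:ordinary login:/home/jmb:/bin/sh
EOF
audit_root_equivalents "$demo" || echo "audit failed: review the accounts above"
rm -f "$demo"
```

Run from cron, a non-zero exit from `audit_root_equivalents` flags a new UID 0 account, and a diff of `group_members` output over time shows who was rotated into or out of wheel.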

